James Tamplin
Co-Founder

When we launched in April, it was immediately clear that developers loved accessing their data directly from client-side JavaScript. Many people wondered, however, if data could ever be secured without running server-side code. “How do I secure my app?” was our most asked question.

We wanted to answer this right away, but security is so important that we didn’t want to announce anything until it was solid. Our requirements were clear: keep all of the parts that people love about Firebase -- real-time updates, easy development, scaling -- while adding enterprise-grade security. We've tested multiple approaches (with our awesome beta testers) and written a lot of code, and we're finally ready to show you our Security API.

We’re excited to say that not only have we met our requirements, but we believe we've built the most flexible security model of any cloud data service.

Watch our screencast for an overview:

The Big Picture

Building real-time apps is hard and scaling them is even harder. Firebase takes care of these complexities for you and lets you focus on building your app. Our new security model lets you build secure apps where clients talk directly to Firebase. This means that for many apps, you don’t need to write any server code, and it even makes running your own servers optional.

The Security API

The Firebase Security API consists of two key pieces:

1. Authentication

The authentication API lets you tell Firebase who a user is. We've designed this API to give you maximum flexibility, and we provide 3 easy methods for authenticating:

  • Server-signed auth tokens (that you generate on your own servers)
  • Our built-in Firebase Simple Login service (this provides Email & Password, Facebook, and Twitter login out of the box)
  • Third-party services (like Singly).

Update (October 3, 2014): Firebase Simple Login has been deprecated and is now part of the core Firebase library. Use these links to find the updated documentation for the web, iOS, and Android clients.

2. Security & Rules

Security and Firebase Rules tell Firebase which operations are permitted for a specific user. You upload these rules to Firebase when you deploy your app, and we enforce them consistently whenever data is accessed.

The rules are where the new API shines.

The rules themselves are simple JavaScript-like expressions. This means that you don't have to learn a new language to write them. They are also extremely flexible: you can compose your expressions using data already in a Firebase database, incoming data, auth credentials, current server time, and more.

Rules are stored as JSON on the Firebase servers. You can upload and edit them directly from our freshly redesigned graphical debugger, now called Forge.

Rules come in three flavors: read and write rules allow or deny operations when reading or writing, and validate rules enforce a specific schema on your data.

Below is an example set of rules. These rules were written for a website with user accounts, where anyone can read data, but users may only edit their own profiles. The rules also ensure that user data conforms to a specific schema:

{
  "rules": {
    "users": {
      "$user": {
        ".read": "true",
        ".write": "$user == auth.username",
        ".validate": "newData.hasChildren(['name'])",
        "name": {
          ".validate": "newData.hasChildren(['first', 'last'])"
        },
        "age": {
          ".validate": "newData.isNumber() && newData.val() >= 0"
        },
        "about_me": {
          ".validate": "newData.isString()"
        }
      }
    }
  }
}
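
To make the effect of the sample rules above concrete, here is an added example (a simplified model written for this page, not Firebase's rule engine or code from the original post). It evaluates the `.write` and `.validate` expressions for a write of a whole profile object to `/users/<user>`; `snapshot`, `evalRule` and `canWriteProfile` are hypothetical names, and treating a failed expression as a denial is an assumption of the model.

```javascript
// Sample rules for /users/$user, copied from the post (string literals quoted).
const userRules = {
  '.write': '$user == auth.username',
  '.validate': "newData.hasChildren(['name'])",
  name: { '.validate': "newData.hasChildren(['first', 'last'])" },
  age: { '.validate': 'newData.isNumber() && newData.val() >= 0' },
  about_me: { '.validate': 'newData.isString()' },
};

// Minimal stand-in for the newData object that the rule expressions call.
function snapshot(value) {
  const isObj = value !== null && typeof value === 'object';
  return {
    val: () => value,
    isNumber: () => typeof value === 'number',
    isString: () => typeof value === 'string',
    hasChildren: (keys) => isObj && keys.every((k) => k in value),
  };
}

// Evaluate one rule expression; an error (for example auth is null) counts as deny.
function evalRule(expr, auth, $user, newData) {
  try {
    const fn = new Function('auth', '$user', 'newData', `return (${expr});`);
    return fn(auth, $user, newData) === true;
  } catch (e) {
    return false;
  }
}

// Decide a write of `data` to /users/<user> by a client whose token payload is `auth`.
function canWriteProfile(auth, user, data) {
  if (!evalRule(userRules['.write'], auth, user, null)) return 'denied: write';
  if (!evalRule(userRules['.validate'], auth, user, snapshot(data))) return 'denied: validate';
  for (const [key, value] of Object.entries(data)) {
    const rule = userRules[key] && userRules[key]['.validate'];
    // Children with no rule are not checked, so unknown fields pass this schema.
    if (rule && !evalRule(rule, auth, user, snapshot(value))) return `denied: validate ${key}`;
  }
  return 'allowed';
}

// Constructed sample write: a user updating their own profile.
const goodProfile = { name: { first: 'Ada', last: 'Lovelace' }, age: 36 };
console.log(canWriteProfile({ username: 'ada' }, 'ada', goodProfile));
```

Note that a profile carrying an extra child the rules never mention is still accepted, so a schema meant to be closed needs a rule for every field it expects and a way to reject the rest.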

The Firebase rules language is designed for performance and scale; its expression-based rules provide fast, predictable execution times and allow Firebase to optimize and cache the results of those expressions.

An important benefit of the Firebase security model is that it places all of your security logic in one place rather than sprinkling it around your code. Firebase then ensures that your logic is enforced consistently across all parts of your app, regardless of how data is accessed. This makes it very easy to reason about your app's security or do formal security audits. The rules also allow for static analysis, so mistakes can be caught immediately when new rules are uploaded.

For more rules details, see our documentation.

Implementation Details

When it comes to security, details matter, so we’ve taken great care with the little things. Specifically, Firebase:

  • Supports SSL on all clients
  • Uses 2048-bit keys for our SSL certificates
  • Signs authentication tokens with SHA256 HMAC signatures
  • Uses BCrypt for password storage
  • Uses the JSON Web Token Standard for credentials

(The list is actually much longer, but hopefully you get the idea). Our goal is to take care of all of the complex but mundane details of securing your app so that you can focus on your application logic and your customers (rather than, say, reading about the latest hash function vulnerabilities).
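
As an added illustration (not Firebase's own code, and not its actual token layout), this is how a server-signed token of the kind described under Authentication and in the list above can be produced and checked as a JSON Web Token with an HMAC-SHA256 signature in Node.js. The `username` and `exp` claim names, the secret and the function names are assumptions.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Server side: sign the claims with the app secret (HS256 = HMAC-SHA256).
function signToken(claims, secret) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

// Verifier side: returns the claims, or null if the token must be rejected.
function verifyToken(token, secret, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  try {
    const head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    // Pin the algorithm: the token never gets to choose "none" or another scheme.
    if (!head || head.alg !== 'HS256') return null;
    const expected = crypto.createHmac('sha256', secret).update(`${header}.${payload}`).digest();
    const given = Buffer.from(sig, 'base64url');
    // Constant-time compare; timingSafeEqual requires equal lengths.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    // Only parse and trust the payload after the signature has checked out.
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    if (!claims || typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return null;
    return claims;
  } catch (e) {
    return null; // malformed JSON or encoding
  }
}

// Constructed sample values (not real credentials).
const SAMPLE_SECRET = 'constructed-demo-secret';
const sampleToken = signToken({ username: 'alice', exp: 2000 }, SAMPLE_SECRET);
console.log(verifyToken(sampleToken, SAMPLE_SECRET, 1000));
```

The verified `username` claim is what a rule such as `$user == auth.username` would compare against, which is why the signing secret must stay on the server.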

More Goodies

Security is not the only thing we’re announcing today! We’re also launching:

  • firebase.github.io - We'll put code snippets, full examples, and libraries here that you're free to fork, modify, and use in your apps. We'll continue adding more content over time, so keep checking back.
  • Security Simulator - Our security simulator lets you test our Security and Firebase Rules while building your app. It lets you simulate various authentication methods and data operations, and it provides helpful feedback to help you track down potential problems. You can find the simulator by going to the URL of your Firebase database.

Wrapping Up

We're really excited to show you our security features. The whole team has put an incredible amount of work into making them easy-to-understand and easy-to-use, qualities we strive for in everything we release. We hope you will use these new features and give feedback to help us improve. If you don't have a beta code yet, you can request one here. Also look out for our public beta launch soon.

Here are some resources you can use to get started:

Now go and build something awesome!

Enjoy the holidays and happy coding,

  • Andrew, Anant, Greg, James, Mike, Rob and Vikrum

Anant Narayanan
Dev Evangelist

The entire Firebase team was at AngelHack (Silicon Valley edition), hosted at the PayPal headquarters (a wonderful venue) in San Jose last weekend, and we had a blast! The event was well attended - we had printed over 400 beta invites and ran out in only an hour (we emailed codes to those who needed them later through the day). The morning of the first day was mostly used to let people recruit participants, organize teams and their ideas. We also had presentations by each of the sponsors (including Firebase), highlighting what they offered and how they could help everyone build their hacks.

We set up our (nice looking, I might add) booth and had some of the crew head out and offer help to all the teams, who were just getting started with some early ideas and designs. Later in the evening, we conducted a breakout session to answer questions and help everyone who had decided to use Firebase for their hack. Andrew Lee, our co-founder, stayed at the venue overnight to continue helping!

There were 85 hacks submitted to hackathon.io (a platform for organizing great hackathons, powered by Firebase!) at the end of the 2-day event. After all the teams got a chance to present, 4 were picked as finalists to go on to the next round, including Rohan Pai who built an amazing tool called FireMap that uses Firebase to generate real-time heatmaps for any website so you can observe your user's behavior. Congratulations Rohan!

Of the 85 submissions, 57 teams used one or more APIs to help build their hack. We're very proud that 25 teams ended up using Firebase to power some aspect of their hack, making us the #1 API used at the hackathon! As a token of our appreciation, every team that used Firebase received a fun lego set, and the top two teams both got an iPad mini each.

The first iPad went to the Reboxed team (along with a glamorous trophy), who built a very useful hack that lets you re-purpose your old phone to act as a sensor, so that you can, for example, attach a smoke detector and set up an alert that will send you an SMS or an email.

The second iPad went to the LevelUp team, who made a great fitness app that acts as your personal trainer, suggesting exercises and motivating you to do more of them!

Filepicker.io, KeenIO, and Singly were some of the other popular APIs being used by the hackathon participants. API providers are certainly gaining wider adoption amongst the developer community, especially at a hackathon, where using something like Firebase lets you focus on what's really important - your product - instead of having to worry about the not-so-easy task of building a back-end to power it.

We had a great time, and are already looking forward to our next event!

James Tamplin
Co-Founder

Last week we traveled up to Portland for the second annual RealtimeConf!

We attended in 2011 and it was one of the best conferences of the year. At the time we were still operating under our codename, Plankton. (The story of buying Firebase.com is one for another blog post).

There were a number of frameworks and products that were pre-launch or very young last year. Talking to the authors about their hopes and goals was inspiring. It has been fascinating to see how each of them has evolved in the past 12 months, so, as you can imagine, we were keen to go back to Portland and see everyone in person.

Firebase itself has come a long way. In the past year we've solidified our direction, launched in private beta, raised a round of funding and talked to more users than we can count.

This year's RealtimeConf didn't disappoint. The &yet team, who organized, kicked off the conference by guiding the attendees to the venue behind a marching band.

Other highlights included a real-time merit badge, a personalized stamp (yes, the library-book variety) of your twitter handle, and an empty passport for collecting said stamps. It was all pretty epic.

We returned this year as speakers also. Michael gave a 10-minute lightning talk that gave an overview of Firebase.

He gave a high level overview of our core-concepts,

  • Real-time data synchronization.
  • Persistent & reliable data store.
  • Automatic Scaling.
  • Data Accessibility.

talked about common use-cases, and showed off some examples in the Graphical Debugger.

We had an excellent time seeing old faces and meeting new ones. A big thanks to Adam and the &yet team; we'll be back again next year and hopefully we'll see you there too!

James Tamplin
Co-Founder

On Monday we had our first Firebase Drink Up. We've been knee-deep in code since our beta launch in April and we hadn't seen many of our users in-person for a long time.

We decided to fix that.

WeWork labs kindly let us use their space on 2nd Street in SOMA, just a few blocks from our office. It's a gorgeous venue with hardwood floors, pool, foosball and a great vibe. Around 200 Firebase users, friends and startup folks came.

It was also a great chance to meet Rob and Greg, the newest additions to the team!

Vikrum, in-between serving drinks and (new!) Firebase t-shirts, took some great pictures:

Ankur, Janine, and Song from TokBox getting their name-tag on.

Anmol and Jeff chat as people start to trickle in.

Things started to get going; Ivan was having a blast!

We projected a Firebase-powered game of Tetris on the wall, along with the Graphical Debugger so you could see the data changing in real-time.

Everyone had a great time and we wouldn't be where we are without the support of our users, friends, and the startup community in SF. A special thanks to Kaitlin, Seth and Dave at WeWork Labs.

Stay tuned for next time!

James Tamplin
Co-Founder

Today we're pleased to announce that Firebase databases now support SSL. This is the first of many steps we will be taking in the coming months to make Firebase the most secure way to build your cloud application.

This means that both the Firebase JS include and the packets that are transmitted between the Firebase server and your users' browsers will be encrypted.

For developers who are new to Firebase, please see our updated documentation. For developers who have used Firebase previously, you'll need to change two things:

1. Your Firebase JS Include

You should alter the script tag in your page

to point at:

https://cdn.firebase.com/js/client/2.4.2/firebase.js

Concretely this will look like:

<script src="https://cdn.firebase.com/js/client/2.4.2/firebase.js"></script>

2. Your Firebase URL References

Each piece of data inside Firebase has its own URL -- that is one of our core concepts. To use SSL for sending and receiving data from your clients, these URLs will need to be altered to use 'https', for example:

https://SampleChat.firebaseIO.com/

Concretely this will look like:

var myRootRef = new Firebase("https://SampleChat.firebaseIO.com/");

We understand that SSL is just the beginning of a comprehensive security system. We'll be making many more announcements over the coming months relating to security. Stay tuned!

Andrew Lee
Co-Founder

Yesterday I gave a talk at the O'Reilly Fluent conference in San Francisco outlining some ways of building multiplayer games using a synchronization service as the backend.

The slides are below. The source code for the examples is on GitHub. Enjoy!

James Tamplin
Co-Founder

On Thursday night we had a party to celebrate our launch! We had 250 people stop by and we were thrilled to have 9 great presentations of apps built on Firebase. We had another 10 demos on tables around the space.

Here is the first video of the night explaining "What is Firebase?" Enjoy!

Michael Lehenbauer
Core Developer

We’re super excited to introduce Firebase to the world today. Our goal with Firebase is to enable developers to build higher quality apps in a fraction of the time it used to take.

If you haven’t already, please check out our website, especially our fully interactive coding tutorial to see what Firebase is and what it can do for you! And if you’re in San Francisco, we’re hosting a huge launch party tonight at 7PM where we’ll have free food / beer and amazing demos.

What makes us so excited about Firebase is the untapped developer potential we see all around us. Firebase actually grew out of Envolve, our existing chat service for websites. We discovered that our most exciting customers wanted to do more with real-time data than just send chat messages. They wanted to build real-time games, collaboration tools, analytics products, and much more, but it was just too hard with the existing technology.

With Firebase, we aim to solve that and much more. Firebase provides a JavaScript API and cloud service that gives you a real-time, scalable backend that you can access directly from your web application. When you use Firebase as your data store, you don’t need to run your own servers, and your app gets data updates in real-time, meaning your user never has to refresh the page to get new data. This shift lets you build better apps with less work. Firebase can be used to build fully interactive websites, games, collaboration tools, and much more. For more details on Firebase and our core tenets, see here.

Over the past few months we’ve been giving Firebase to developers to see how they use it and what they’re able to build, and we’ve been incredibly impressed and inspired by the results. When you lower the technology barrier for building real-time interactive apps, developers truly shine and build amazing things! We’ll be showcasing many of their apps here in our blog over the coming weeks.

We’d love for you to join us in our journey. Please try out our interactive tutorial, sign up for the beta, and follow us on our blog and twitter!
